Slashdot Mirror


Google Will Now Hide Personal Medical Records From Search Results (betanews.com)

Mark Wilson, writing for BetaNews: Google has updated its search policies without any sort of fanfare. The search engine now "may remove" -- in addition to existing categories of information -- "confidential, personal medical records of private people" from search results. That such information was not already obscured from search results may well come as something of a surprise to many people. The change has been confirmed by Google, although the company has not issued any form of announcement about it.

34 comments

  1. Plugging leaks. by Anonymous Coward · · Score: 1

    That's nice. Now send notices to all the leaks.

    1. Re:Plugging leaks. by BeauHD (4450103) · · Score: 0

      Good luck with that. Can you imagine msmash having all his leaks plugged when he had the sex change operation? Heh heh heh...

  2. Hiding results is all fine, but... by Lead Butthead · · Score: 3, Interesting

    But do they still index and keep copies of it in house? (I bet real money they do.)

    --
    ELOI, ELOI, LAMA SABACHTHANI!?
  3. About damn time. by Anonymous Coward · · Score: 1

    I was really sick of my Hep C problems showing up when people I'm dating Googled me.

  4. Good! by Anonymous Coward · · Score: 0

    If you don't want everyone to know about your cirrhosis of the liver, don't drink.

  5. Better Question by Voyager529 · · Score: 4, Insightful

    Better question: Why are such records stored on servers sufficiently accessible that Google can index them in the first place?

    1. Re:Better Question by Anonymous Coward · · Score: 0

      Because... negligence.

      Because... Microsoft and summer interns.

      Because... no accountability.

      Because... If anything shows up on the internet, "it's google's fault"

    2. Re:Better Question by Kazoo the Clown · · Score: 2

      People end up uploading their own information to public servers without realizing it. Or others, legitimately handling the information may end up not intending to make it public but store it in a location that ends up being insecure. This move by Google just sweeps it under the rug-- if it's publicly accessible, hiding it from search results doesn't make it suddenly inaccessible, it just means you can't use Google to find it. Only Google would think that makes it hard to find. If it's personal health information, it must have a "person" identified, and that person could, theoretically, be notified so they can "fix" the problem, or at least decide if they care...

    3. Re:Better Question by Gravis Zero · · Score: 1

      Better question: Why are such records stored on servers sufficiently accessible that Google can index them in the first place?

      Because there are no penalties for shitty security.

      --
      Anons need not reply. Questions end with a question mark.
    4. Re:Better Question by clodney · · Score: 3, Interesting

      Better question: Why are such records stored on servers sufficiently accessible that Google can index them in the first place?

      Because there are no penalties for shitty security.

      Maybe, maybe not. In the USA, the HIPAA act governs how medical providers and affiliates are required to deal with PHI (protected health information). There are indeed significant penalties associated with disclosure of PHI, and there is no exemption for malware or other bad actors. Even more alarming for the healthcare industry, HIPAA includes *personal* liability, not just corporate liability (http://managedhealthcareexecutive.modernmedicine.com/managed-healthcare-executive/content/tags/hipaa/hipaa-rule-makes-you-personally-liable), so PHI security is taken very seriously.

      But HIPAA doesn't govern what I can do with my own medical records - if I want to post them on a publicly accessible website that is just fine. And since records are required as input to all sorts of medical research and software development projects, anonymized and pseudonymized data is everywhere. I have personally seen CT studies claiming to be for Frodo Baggins, Meriadoc Brandybuck, and Daffy Duck. Those are not PHI and are not an issue under HIPAA, but I don't know whether or not Google would be smart enough to recognize these as not actual medical records.

    5. Re:Better Question by Anonymous Coward · · Score: 0

      Because... negligence.
      Because... no accountability.

      Thank the government and the HIPAA act for that. Good luck suing a health organization for negligence.

    6. Re:Better Question by Anonymous Coward · · Score: 0

      In practice HIPAA is rarely used against "bad actors". In just about every single hospital encounter my family has been involved with, HIPAA was violated multiple times by doctors and nurses (multiple different patients, different doctors, different hospitals). Some of the breaches family members cared about, others were "harmless" but violations nonetheless. It is clear the people who actually work in the medical industry have no regard for the sensitivity of health information. It is also clear, based on the prevalence of these incidents, that no one is suffering consequences for breach. If these people thought there even could be some enforcement then they would not be leaking information everywhere.

      Digital breach of HIPAA is scary to companies though because someone can much more easily save "proof" of the violation and the victim can probably claim/suffer much larger damage. I am sure it is much harder to 'justify' enforcement when the violation is discreet, verbal, or through careless handling of physical documents and damage is relatively contained.

    7. Re:Better Question by clodney · · Score: 1

      In practice HIPAA is rarely used against "bad actors". In just about every single hospital encounter my family has been involved with HIPAA was violated multiple times by doctors and nurses (multiple different patients, different doctors, different hospitals). Some of the breaches family members cared about, others were "harmless" but violations nonetheless.

      When I referenced "bad actors", I meant that the health system is not absolved of responsibility if they get hacked - it is still a breach, and they are still liable. The bad actors who committed the breach would be liable under other laws like CFAA, but didn't have the duty to safeguard PHI in the first place.

      Sorry to hear about your experiences with HIPAA violations. I work with the IT groups of hospital systems, and those people are terrified of HIPAA violations. There are pretty broad exceptions to HIPAA relating to delivery of care, and I can well believe that translates to more casual attitudes at the point of care. FWIW, I think the PHI notice you have to be given by the hospital should include contact information on how to make a complaint if you want to follow up.

    8. Re:Better Question by Anonymous Coward · · Score: 0

      I got your point and the summary of my counterpoint is that while HIPAA exists, it does not seem to be truly enforced in such a way that anyone is truly scared of 'technical' violations. Companies/liable parties are only scared if they think someone might act on the information or it otherwise becomes a *publicly visible* problem. But just like credit card breaches, the first step is to sweep everything under the rug and handle any actual issues as best as possible.

      While I didn't bring this up initially, given you work with the IT groups I am sure you may know how many violations of HIPAA go on when various IT consultants, administrators and other parties have access to large amounts of sensitive information that they really should not have access to. Data is rarely secured properly to prevent access from these people who are not technically cleared to see the data. Once again - no one cares about technical breaches of HIPAA, they only would care in the case of spectacular failure or true malicious violations.

      People only care if people they know or deal with have access to PHI. It would be bad if there is some sort of indexed site that would allow someone to find out you have herpes by searching your name OR some similar level of disclosure. But no one cares if the dark web knows you have herpes. Thus there is little real risk for shitty security because most breaches are not going to provide a nice clean interface to see if Jane Doe from Austin, TX, Age 25 has herpes. Through regulatory capture and other shadiness it will all get swept under the rug unless huge amounts of the public are harmed.

    9. Re: Better Question by Anonymous Coward · · Score: 0

      By the way, Jane from Austin is riddled with herpes.

    10. Re:Better Question by Anonymous Coward · · Score: 0

      Google's web spiders go everywhere. Somebody might just download/upload documents into a private folder in a public directory, then the web crawler finds it, creates a cache copy and wanders along. No different from using archive.org. Even the virus/worms/malware become archived within the saved zip and tar files.

    11. Re:Better Question by Anonymous Coward · · Score: 0

      And even if it is accessible, isn't medical information supposed to be protected by law? Is Google legally protected here? Just because you CAN take something from an unlocked car...

    12. Re:Better Question by Anonymous Coward · · Score: 0

      This move by Google just sweeps it under the rug-- if it's publicly accessible, hiding it from search results doesn't make it suddenly inaccessible, it just means you can't use Google to find it. Only Google would think that makes it hard to find. If it's personal health information, it must have a "person" identified, and that person could, theoretically, be notified so they can "fix" the problem, or at least decide if they care...

      I'm betting that Google thinks that this makes it not Google's problem.

  6. HIPAA Violations by Anonymous Coward · · Score: 0

    Google should also report the violators.

    1. Re:HIPAA Violations by Scarletdown · · Score: 1

      But more likely, they would violate the reporters instead.

      --
      This space unintentionally left blank.
  7. All of which gives me a great product idea. by cunina · · Score: 1

    Specifically, a pay-per-use search engine that only indexes personal medical records. Want to deny coverage? Want to reject a job applicant? Want to filter your next Tinder date? MediSnoop them!

  8. May and Will are not the same thing by Anonymous Coward · · Score: 0

    The title says "will now hide" - the body and the article says "The search engine now "may remove" "

    So how did the writer and editor at 'betanews', the poster and msmash get from one to the other?

    As this is Google, I think it will certainly be "may remove", or "might remove" or "could remove" or "snowball's chance in hell of removal"...

    1. Re: May and Will are not the same thing by Anonymous Coward · · Score: 0

      The betanews faggot and msmash are pumping shit weekly on /.

  9. A better public service... by Gilgaron · · Score: 1

    Do they also try to contact the webmaster and warn them that all their HIPAA data is web accessible?

  10. Yay by Anonymous Coward · · Score: 0

    Good job finally fixing that, Google! Now if I could just figure out why my printer has been randomly printing out memes and goatse for the last two years.

    1. Re: Yay by coteriescavenger · · Score: 0

      Russians

  11. Keep on censoring, Google by Anonymous Coward · · Score: 0

    I sincerely hope it puts you on the path to irrelevancy as others fill in the void.

    C'mon people, we need help to put up distributed services that can't be censored. Let's show the tyrants where they can stuff it!

  12. drop filter .gov too and .mil by Anonymous Coward · · Score: 0

    They should get rid of .gov and .mil as well... -- .gov is always suspect to incomplete inaccurate not updated info, and .mil (well, homeland should field that one already).... the .gov stuff is pretty easy to wget anyhow if someone wants to create a separate index ... ps. should one get the latest tmz news and eavesdrops @ /// google.com/govleaks ?? old saying, loose lips sink ships... robots.txt blocks nada...

  13. Better idea: by nuckfuts · · Score: 1

    Medical service providers don't store personal medical records where web crawlers can access them.

    1. Re:Better idea: by Anonymous Coward · · Score: 0

      Medical service providers aren't supposed to store personal medical records where web crawlers can access them.

  14. Surprising Yes, But Wrong Surprise by Anonymous Coward · · Score: 0

    That such information was not already obscured from search results may well come as something of a surprise to many people.

    It's surprising alright. Not that Google was not already obscuring the information, but that Google had access to it in the first place.

  15. Am I The Only One... by RobotRunAmok · · Score: 1

    who read this and said "Now?" "Whaddya mean, 'NOW??'"